If your business offers products or services to residents of the European Union, you may be required to appoint a Data Protection Officer.
The General Data Protection Regulation (“GDPR”), which takes effect on May 25, 2018, governs the protection of personal data of individuals within the EU and the transfer of personal data outside the EU. The GDPR, which replaces the 1995 EU Data Protection Directive, provides a modernized, accountability-based compliance framework for data protection in Europe. Both data controllers and data processors will be subject to financial penalties for failure to comply with its requirements.
The GDPR applies to entities based outside the EU if the entity processes personal data of EU residents, where that processing is related to offering goods or services to the EU residents or monitoring the behavior of EU residents. “Personal data” is any information that relates to an identified or identifiable natural person, such as a name, a photo, an email address, bank details, medical information, biometric data such as fingerprints and retina scans, and unique online identifiers such as IP addresses, geo-location data, and mobile device identifiers.
The GDPR requires that a Data Protection Officer be appointed where:
- the core activities of the entity consist of processing operations that, by their nature, scope, or purposes, require regular and systematic monitoring of data subjects on a large scale;
- the core activities of the entity consist of processing on a large scale of special categories of sensitive data (i.e., personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, and data concerning health, sex life, or sexual orientation) or of personal data relating to criminal convictions and offences; or
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity.
The December 2016 Guidelines on Data Protection Officers issued by the Article 29 Working Party further explained that “core activities” are the key operations necessary to achieve the controller’s or processor’s goals. For example, according to these Guidelines, because a hospital could not provide healthcare safely and effectively without processing health data such as patient health records, processing this data should be considered one of any hospital’s core activities, and hospitals falling within the scope of the GDPR must therefore designate a Data Protection Officer.
A Data Protection Officer may either be employed by the entity or work for a third party (such as a law firm or another third-party consultant), must have “expert knowledge of data protection law and practices”, and must be able to perform the role independently, reporting to the highest level of management. The Data Protection Officer’s duties include monitoring compliance with the GDPR and other applicable privacy laws and informing the entity of its legal obligations under those laws, implementing and monitoring compliance with the entity’s data-related policies, monitoring the entity’s data privacy and security-related training and audits, and acting as the point of contact for both individual data subjects and regulators.
The GDPR also imposes requirements upon applicable entities even if a Data Protection Officer is not required. For example, it requires that the entity controlling or collecting the data comply with the data protection principles (such as lawfulness, purpose limitation, data minimization, and accuracy), and implement appropriate technical and organizational measures against unlawful destruction, loss, alteration, disclosure, or access. In the event of a personal data breach, it also requires entities to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, and to notify the affected EU residents where the breach is likely to result in a high risk to their rights and freedoms.
Regardless of whether your business currently operates within the EU or collects personal information regarding EU residents, the following actions will help your business handle and process personal data:
- Develop or update a privacy program that is in compliance with both local and international law;
- Retain personnel who are qualified to oversee the business’ privacy practices and ensure compliance with applicable laws and internal policies;
- Develop data security strategies, and implement related policies and procedures that will ensure that reasonable security measures are taken; and
- Evaluate data breach response preparedness, so that the business is ready to promptly respond to security breaches.
Conflicts between the GDPR and US law will need to be resolved, but it is unwise for US businesses to delay preparations that will enable them to comply with the GDPR when it takes effect next year.